pfSense System: Advanced: Notifications SMTP configuration
From:
Office 365 SMTP configuration for pfSense to relay notification mail to the notification e-mail address. Note: when testing, always re-enter the password first.
pfsense ipv6 with comcast
From: https://r.wundrd.net/article/pfsense-ipv6-comcast/
Go to the Status: Interfaces page. Under the WAN interface section you should see an IPv6 address (in addition to the link-local one), an IPv6 subnet mask of 64, and an IPv6 gateway. The ISP DNS Servers section should contain IPv6 addresses; record one of them for later testing. Under the LAN interface section you should see an IPv6 address (in addition to link-local) and an IPv6 subnet mask of 64.
CONFIGURING DHCP SERVER AND DYNAMIC DNS SERVICES
Configure PFSENSE to serve DNS names for Local Lan
If the DNS Forwarder is enabled, every DNS request from every interface will be processed by pfSense. Individual host records are checked first, and if a match is found, the associated IP address is immediately returned.

By enabling the Register DHCP Static Mappings option, you won't have to worry about creating DNS records for those devices. This is my preferred method of using pfSense as a DNS server. As long as we create a static mapping for every device on our network, their hostnames will resolve automatically. Using this method, we'll only have to add explicit hostname records for devices that specify their own IP address (that is, devices that don't use DHCP), which should be few and far between.

Register DHCP Leases in DNS Forwarder
If the Register DHCP Leases in DNS Forwarder option is enabled, pfSense will automatically register any devices that specify a hostname when submitting a DHCP request. The downside, of course, is that not all devices submit a hostname, and even when they do, it is sometimes cryptic. I prefer to only register important devices using DHCP static mappings, and all other (unimportant/unknown) devices can be referenced using their IP addresses.
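Added example (mine, not code from pfSense or from the article above): a small Python model of the lookup order just described, so you can see which devices on a network end up with a name under a given combination of the two "Register" options. The class and field names, the domain home.lan and the sample leases are all made up for the example; pfSense itself does this inside dnsmasq.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Model of the DNS Forwarder lookup order described above:
# 1. explicit host overrides, 2. DHCP static mappings (when "Register DHCP
# Static Mappings" is on), 3. dynamic leases (when "Register DHCP Leases" is
# on AND the client actually sent a hostname).  Names below are this
# example's own, not pfSense's.

@dataclass
class Lease:
    mac: str
    ip: str
    hostname: Optional[str]   # None when the client sent no hostname
    static: bool              # True for a DHCP static mapping


@dataclass
class ForwarderSettings:
    domain: str
    register_static: bool            # Register DHCP Static Mappings
    register_leases: bool            # Register DHCP Leases in DNS Forwarder
    host_overrides: Dict[str, str]   # fqdn -> ip, entered by hand


def resolve(name: str, settings: ForwarderSettings, leases: List[Lease]) -> Optional[str]:
    """Return the address the forwarder would answer for `name`, or None."""
    fqdn = name if "." in name else f"{name}.{settings.domain}"
    # 1. Individual host records win immediately.
    if fqdn in settings.host_overrides:
        return settings.host_overrides[fqdn]
    # 2. Static mappings are registered regardless of what the client sent.
    if settings.register_static:
        for l in leases:
            if l.static and l.hostname and f"{l.hostname}.{settings.domain}" == fqdn:
                return l.ip
    # 3. Dynamic leases only resolve if the option is on and a hostname was sent.
    if settings.register_leases:
        for l in leases:
            if not l.static and l.hostname and f"{l.hostname}.{settings.domain}" == fqdn:
                return l.ip
    return None


def unresolvable_hosts(settings: ForwarderSettings, leases: List[Lease]) -> List[str]:
    """Addresses that have no working name under the current settings: the
    devices the text says you would have to reference by IP."""
    out = []
    for l in leases:
        if not l.hostname or resolve(l.hostname, settings, leases) != l.ip:
            out.append(l.ip)
    return out


# Constructed sample network (not a real configuration).
SETTINGS = ForwarderSettings(
    domain="home.lan",
    register_static=True,
    register_leases=False,
    host_overrides={"nas.home.lan": "192.168.1.5"},   # fixed-IP device, no DHCP
)
LEASES = [
    Lease("00:11:22:33:44:01", "192.168.1.10", "printer", static=True),
    Lease("00:11:22:33:44:02", "192.168.1.101", "android-3f9c", static=False),
    Lease("00:11:22:33:44:03", "192.168.1.102", None, static=False),
]

if __name__ == "__main__":
    for n in ("printer", "nas", "android-3f9c"):
        print(n, "->", resolve(n, SETTINGS, LEASES))
    print("only reachable by IP:", unresolvable_hosts(SETTINGS, LEASES))
```

With the settings as constructed, only the static mapping and the host override resolve; turning register_leases on makes the Android device resolve too, but the device that sent no hostname never gets a name either way.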
How To Create And Configure VLANs In pfSense
From: https://www.iceflatline.com/2013/09/how-to-create-and-configure-vlans-in-pfsense/
In this post I will describe how to create and configure VLANs in pfSense. Once configured, you’ll be able to route (or prevent routing) traffic between each VLAN, and each VLAN will be able to share the same Internet connection. To help explain the steps involved, we’ll create two static VLANs on a 24-port switch and trunk those VLANs from the switch to the LAN interface on pfSense, where we will assign each VLAN a unique /24 private IP subnet.
Virtual IP and arp proxy
From: http://pfsensesetup.com/pfsense-virtual-ip-addresses-part-one/
A virtual IP address (VIP) is an additional IP address that the firewall answers for on an interface without it being that interface's primary address, so one physical link can carry several public addresses (for 1:1 NAT, port forwards and so on). In pfSense a VIP is one of four types: IP Alias (a real extra address the firewall itself can bind services to), CARP (an address shared with a failover peer), Proxy ARP (pfSense only answers ARP for the address, so it can be used in NAT rules but not by the firewall's own services), or Other (no ARP at all, for a subnet the upstream router already routes to the firewall).
Filter Log Format for pfSense 2.2
From: https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
Starting with pfSense 2.2, the raw filter log output generated by pfSense for its internal filter log and the log output transmitted over syslog to remote hosts has changed. The new log format is a single line containing comma-separated values that should be much easier to parse than the previous methods that involved guessing at various layouts and string contents of log data generated by pf.
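Added example (mine, not code from the pfSense documentation page linked above): a Python parser for the 2.2 CSV filterlog format as received over syslog, plus a quick "who is being blocked" summary of the kind you would run over a remote syslog file. The field positions follow the layout on the linked page (common header, then the IPv4 or IPv6 header, then TCP/UDP ports); the log lines are constructed samples with documentation-range addresses, not real traffic.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample syslog lines in the pfSense 2.2+ comma-separated
# filterlog format (documentation-range addresses; not real traffic).
SAMPLE_LOG = """\
Nov 26 13:30:25 192.168.1.249 filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.10,54321,22,0,S,1234567890,,29200,,mss;sackOK;TS;nop;wscale
Nov 26 13:30:26 192.168.1.249 filterlog: 5,16777216,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.0.2.10,54322,23,0,S,1234567891,,29200,,mss;sackOK;TS;nop;wscale
Nov 26 13:30:27 192.168.1.249 filterlog: 9,16777216,,1000000104,igb0,match,pass,out,4,0x0,,64,0,0,DF,17,udp,60,192.168.1.20,192.0.2.53,51000,53,40
Nov 26 13:30:28 192.168.1.249 filterlog: 5,16777216,,1000000103,igb1,match,block,in,6,0x00,0x00000,64,TCP,6,40,2001:db8::1,2001:db8::10,40000,80,0,S,55555,,65535,,mss
"""

# syslog prefix: "<Mon dd HH:MM:SS> <host> filterlog[pid]: <csv>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"filterlog(?:\[\d+\])?: (?P<csv>.*)$"
)


@dataclass
class FilterEntry:
    timestamp: str
    host: str
    rule: str          # rule number
    tracker: str       # tracker id, ties the line back to the GUI rule
    iface: str
    reason: str
    action: str        # pass / block / reject
    direction: str     # in / out
    ip_version: int
    proto: str
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: Optional[str] = None


def parse_filterlog_line(line: str) -> Optional[FilterEntry]:
    """Parse one syslog line; returns None for lines that are not filterlog."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    # Common header: rule, sub-rule, anchor, tracker, interface, reason,
    # action, direction, ip-version.
    rule, _sub, _anchor, tracker, iface, reason, action, direction, ver = f[:9]
    try:
        ip_version = int(ver)
    except ValueError:
        return None
    if ip_version == 4 and len(f) >= 20:
        # IPv4: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst
        proto, src, dst, rest = f[16].lower(), f[18], f[19], f[20:]
    elif ip_version == 6 and len(f) >= 17:
        # IPv6: class, flow-label, hop-limit, proto-text, proto-id, length, src, dst
        proto, src, dst, rest = f[12].lower(), f[15], f[16], f[17:]
    else:
        return None
    e = FilterEntry(m.group("ts"), m.group("host"), rule, tracker, iface,
                    reason, action, direction, ip_version, proto, src, dst)
    # TCP/UDP: src-port, dst-port, data-length; TCP then adds flags, seq, ack, ...
    if proto in ("tcp", "udp") and len(rest) >= 2:
        e.src_port, e.dst_port = int(rest[0]), int(rest[1])
        if proto == "tcp" and len(rest) >= 4:
            e.tcp_flags = rest[3]
    return e


def blocked_sources(text: str) -> Dict[str, int]:
    """Count blocked inbound packets per source address over a log file."""
    counts: Counter = Counter()
    for line in text.splitlines():
        e = parse_filterlog_line(line)
        if e and e.action == "block" and e.direction == "in":
            counts[e.src] += 1
    return dict(counts)


if __name__ == "__main__":
    for src, n in sorted(blocked_sources(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src:40} blocked {n}x")
```

Lines that are not filterlog output (kernel messages and so on) simply come back as None, so the same loop can be pointed at a full remote syslog file. The tracker id is kept because it is what the GUI uses to map a log line back to the rule that matched.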
arpresolve: can't allocate llinfo
These messages appear in the log file a gazillion times:
Nov 26 13:30:25 192.168.1.249 kernel: arpresolve: can't allocate llinfo for 192.168.1.10
Solution: I had added a static route whose gateway pointed to itself. 192.168.1.10 was the gateway for the 192.168.0.0 net.
CPU Temperature
From: http://doc.pfsense.org/index.php/What_Hardware_Monitoring_Is_Supported
sysctl hw.acpi.thermal
hw.acpi.thermal.min_runtime: 0
hw.acpi.thermal.polling_rate: 10
hw.acpi.thermal.user_override: 0
hw.acpi.thermal.tz0.temperature: 19.0C   <= the current temperature
hw.acpi.thermal.tz0.active: -1
hw.acpi.thermal.tz0.passive_cooling: 1
hw.acpi.thermal.tz0.thermal_flags: 0
hw.acpi.thermal.tz0._PSV: 83.0C   <= passive cooling trip point
hw.acpi.thermal.tz0._HOT: -1
hw.acpi.thermal.tz0._CRT: 85.0C   <= critical trip point (ACPI shuts the box down)
hw.acpi.thermal.tz0._ACx: 83.0C -1 -1 -1 -1 -1 -1 -1 -1 -1
hw.acpi.thermal.tz0._TC1: 4
hw.acpi.thermal.tz0._TC2: 3
hw.acpi.thermal.tz0._TSP: 60
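Added example (mine, not from the pfSense hardware monitoring page): a Python check that parses the `sysctl hw.acpi.thermal` output above and rates each thermal zone against its own _PSV and _CRT trip points, the way a monitoring cron job would. The sysctl text is a constructed copy of the listing; the 5 degree warning margin is an arbitrary choice of this example.

```python
import re
from typing import Dict

# Constructed copy of `sysctl hw.acpi.thermal` output (sample data, not a live
# reading).  Values of -1 mean the firmware did not provide that trip point.
SAMPLE_SYSCTL = """\
hw.acpi.thermal.min_runtime: 0
hw.acpi.thermal.polling_rate: 10
hw.acpi.thermal.user_override: 0
hw.acpi.thermal.tz0.temperature: 19.0C
hw.acpi.thermal.tz0.active: -1
hw.acpi.thermal.tz0.passive_cooling: 1
hw.acpi.thermal.tz0.thermal_flags: 0
hw.acpi.thermal.tz0._PSV: 83.0C
hw.acpi.thermal.tz0._HOT: -1
hw.acpi.thermal.tz0._CRT: 85.0C
hw.acpi.thermal.tz0._ACx: 83.0C -1 -1 -1 -1 -1 -1 -1 -1 -1
hw.acpi.thermal.tz0._TC1: 4
hw.acpi.thermal.tz0._TC2: 3
hw.acpi.thermal.tz0._TSP: 60
"""

ZONE_KEY = re.compile(r"^hw\.acpi\.thermal\.(tz\d+)\.(\w+)$")
CELSIUS = re.compile(r"^(-?\d+(?:\.\d+)?)C$")   # a single "19.0C" style value


def parse_thermal(text: str) -> Dict[str, Dict[str, float]]:
    """Return {zone: {field: degrees_c}} for every per-zone value that is a
    Celsius reading.  Non-temperature fields and -1 placeholders are skipped,
    as is _ACx, whose value is a list rather than one reading."""
    zones: Dict[str, Dict[str, float]] = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        m = ZONE_KEY.match(key.strip())
        c = CELSIUS.match(value.strip())
        if m and c:
            zone, field = m.groups()
            zones.setdefault(zone, {})[field] = float(c.group(1))
    return zones


def thermal_status(zones: Dict[str, Dict[str, float]], margin: float = 5.0) -> Dict[str, str]:
    """Classify each zone: 'critical' at/above _CRT, 'passive' at/above _PSV,
    'warning' within `margin` degrees below _PSV, otherwise 'ok'."""
    status = {}
    for zone, v in zones.items():
        t = v.get("temperature")
        if t is None:
            continue
        crt, psv = v.get("_CRT"), v.get("_PSV")
        if crt is not None and t >= crt:
            status[zone] = "critical"
        elif psv is not None and t >= psv:
            status[zone] = "passive"
        elif psv is not None and t >= psv - margin:
            status[zone] = "warning"
        else:
            status[zone] = "ok"
    return status


if __name__ == "__main__":
    # On a live box: sysctl hw.acpi.thermal | python3 thischeck.py
    import subprocess, sys
    text = SAMPLE_SYSCTL if sys.stdin.isatty() else sys.stdin.read()
    for zone, state in thermal_status(parse_thermal(text)).items():
        print(zone, state)
```

Using the zone's own trip points instead of a hard-coded number matters because boards differ: on this listing passive cooling starts at 83C and the critical shutdown at 85C, so anything above about 78C deserves a look.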
Why can't I access forwarded ports on my WAN IP from my LAN/OPTx networks?
Method 2: Split DNS. The more elegant solution to this problem is Split DNS: internal and external clients resolve your hostnames differently, so a LAN client gets the server's private address directly instead of the WAN IP and never needs the port forward at all.
Squid log File Time Conversion
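Added example (mine, not from any of the linked pages): converting the timestamps in Squid's native access.log. The first field is seconds since the Unix epoch with a millisecond fraction, and the line is written when the transaction finishes, so the second field (elapsed milliseconds) has to be subtracted to get the time the request actually arrived. The log lines are constructed samples; the output is in UTC by default, pass a tzinfo for local time.

```python
from datetime import datetime, timezone
from typing import List

# Constructed Squid native access.log lines (not a real log).  Field 1 is
# epoch seconds with millisecond fraction, field 2 is transaction time in ms.
SAMPLE_ACCESS_LOG = """\
1385472625.123    120 192.168.1.20 TCP_MISS/200 1234 GET http://www.example.com/ - HIER_DIRECT/192.0.2.80 text/html
1385472630.004     15 192.168.1.20 TCP_HIT/200 5678 GET http://www.example.com/logo.png - HIER_NONE/- image/png
"""


def _stamp_to_ms(stamp: str) -> int:
    """'1385472625.123' -> 1385472625123.  The fraction is handled as text so
    that .123 does not turn into .122999 through float rounding."""
    sec, _, frac = stamp.partition(".")
    return int(sec) * 1000 + int((frac + "000")[:3])


def _format_ms(total_ms: int, tz=timezone.utc) -> str:
    """Render an epoch timestamp in milliseconds as wall time in `tz`."""
    dt = datetime.fromtimestamp(total_ms // 1000, tz)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{total_ms % 1000:03d}"


def squid_time(stamp: str, tz=timezone.utc) -> str:
    """Time at which Squid logged the transaction (its completion)."""
    return _format_ms(_stamp_to_ms(stamp), tz)


def request_start(stamp: str, elapsed_ms: int, tz=timezone.utc) -> str:
    """Time the request arrived: the logged stamp minus the elapsed field."""
    return _format_ms(_stamp_to_ms(stamp) - elapsed_ms, tz)


def convert_access_log(text: str, tz=timezone.utc) -> List[str]:
    """Rewrite each line with a readable timestamp in place of the epoch."""
    out = []
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2:
            out.append(f"{squid_time(fields[0], tz)} {fields[1]}")
    return out


if __name__ == "__main__":
    # On the firewall: python3 thisfile.py < /var/squid/logs/access.log
    import sys
    src = SAMPLE_ACCESS_LOG if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(convert_access_log(src)))
```

When correlating with the firewall log (which is in local time as the syslog header shows), convert both to the same zone first; the millisecond field is the only sub-second precision you get from either side.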
Squid Configuration
Cache management page
cache_mem 580 MB
maximum_object_size_in_memory 64 KB
memory_replacement_policy heap LFUDA
cache_replacement_policy heap LFUDA
cache_dir aufs /var/squid/cache 3500 16 256
minimum_object_size 0 KB
maximum_object_size 8192 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
cache allow all
From: https://forum.pfsense.org/index.php?topic=16204.15
(My rig has 1 GB RAM minus some shared video RAM.) Here is my cache setup:

Cache management page:
Hard disk cache size = 2000 MB (more HDD space uses more RAM, be careful not to set it too big)
Memory cache size = 128 MB
Minimum object size = 0 KB
Maximum object size = 8192 KB (Squid default is 4096 KB); set this larger if you want to (32 MB maybe), it depends on how many files there are, how large they are and how often you download these types of files. Read the Squid ViSolve manual on caching policy (heap LFUDA). This is not always stored in memory, it is the "cache" value!!! It can either be RAM or HDD.
Memory replacement policy = heap LFUDA (RAM cache object handling)
Cache replacement policy = heap LFUDA (HDD cache object handling)

General settings page:
Custom Options = redirect_program /usr/local/libexec/adzap;redirect_children 10;maximum_object_size_in_memory 128 KB;

maximum_object_size_in_memory: I bumped that value up from the default 64 KB because some sites (I visit often) use larger objects than 64 KB, and so this raises the chance of objects being cached from RAM instead of the HDD cache. Play with this value a little in combination with the "Memory cache size" value; remember mine is set to 128 MB of RAM being used. (128 MB / 128 KB = max. number of "large" objects cached directly from Squid RAM. RAM is faster than HDD.) Don't overdo these options, it will do more harm than good over time... performance will suffer.

Cache is cleaned automatically. How depends on the caching policy that is chosen (LRU, Heap GDSF, Heap LFUDA, Heap LRU). When is controlled by the high and low water mark options in the "Cache management" page:
Low-water-mark in % = 90
High-water-mark in % = 95
If the total cache is BIG, the 5% difference between the low- and high-water-mark can be many MBs or GBs of cache (real data). (Worst case) Your system could be constantly cleaning older objects from the cache at 100% HDD speed if the low-water-mark was reached, and caching speed would suffer greatly.
http://forum.pfsense.org/index.php?PHPSESSID=783a119759ebc298a3d99d016a4f1f16&/topic,11001.0.html
Proxy server: General settings
Proxy server: Cache management
From: https://calomel.org/squid.html
How do I test whether the headers are being changed by Squid correctly?
Filtering HTTPS / SSL Traffic on pfSense
From: https://forum.pfsense.org/index.php?topic=72528.0
This article tells you how to install and configure a Squid proxy capable of filtering encrypted HTTPS connections, using the Diladele Web Safety ICAP content filtering server running on pfSense.
Traffic Shaper in pfSense 2.0
From: http://www.hammerweb.com/blog/2011/09/traffic-shaper-in-pfsense-2-0/
Good review of PRIQ. Don't fully understand the rules he set up.
Have you recently upgraded from pfsense 1.2.3 to pfsense 2.0? Are you having difficulty getting the traffic shaper to work properly? A significant change in how the traffic shaper works between these releases, combined with a lack of documentation created a very frustrating situation.
http://forum.pfsense.org/index.php?topic=12601.0
Good discussion by davertron
http://devwiki.pfsense.org/HFSCBandwidthShapingNotes
* In HFSC, realtime is the service curve used to guarantee an upper bound on delay for a class; it is valid only for child queues. Linkshare shares the bandwidth between classes when it is available, and a hard ceiling for a linkshare specification can be set with upperlimit.
* If you do NOT specify linkshare, you should specify bandwidth.
Investigate links here
Technical Explanation
http://linux-ip.net/articles/hfsc.en/
http://forum.pfsense.org/index.php/topic,1384.0.html
https://calomel.org/pf_hfsc.html
http://forum.pfsense.org/index.php?topic=12601.0 Better: http://forum.pfsense.org/index.php?topic=11986.0
qTotalBandwidth (value of upload bandwidth)
    qSubnet1 (50% bandwidth)
        q1VoIP (bandwidth 10%, realtime m1 = 1.2Kb d = 30 m2 = 64Kb)
        q1VNC (bandwidth 10%, realtime m1 = 6Kb d = 50 m2 = 128Kb)
        q1HTTP (bandwidth 30%)
    qSubnet2 (50% bandwidth)
        q2VoIP (bandwidth 10%, realtime m1 = 1.2Kb d = 30 m2 = 64Kb)
        q2VNC (bandwidth 10%, realtime m1 = 6Kb d = 50 m2 = 128Kb)
        q2HTTP (bandwidth 30%)
    qPenalty (bandwidth 10%, default, upperlimit m2 = 10%)
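Added example (mine, not from the linked forum threads or the devwiki notes): the queue tree above modelled in Python so the numbers can be checked before typing them into the shaper. It works out each queue's share in kbit/s from the percentages (a child's bandwidth % is a share of its parent, not of the root), evaluates an HFSC realtime curve (m1 until d milliseconds, m2 after that), and runs two sanity checks: that the realtime m2 values do not eat most of the link, and that no parent's children add up to more than 100%. The 2000 kbit/s root rate and the 80% realtime budget are assumptions of this example, not values from the notes. On the tree exactly as written above the second check fires: qSubnet1 + qSubnet2 + qPenalty = 110% of qTotalBandwidth.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Curve = Tuple[float, float, float]   # HFSC (m1 kbit/s, d ms, m2 kbit/s)


@dataclass
class Queue:
    parent: Optional[str]
    bandwidth_pct: float                  # share of the parent's bandwidth
    realtime: Optional[Curve] = None      # only meaningful on child queues
    upperlimit_pct: Optional[float] = None


# The queue tree from the notes above.  Names, percentages and curves are the
# page's; the root rate is an assumed upload speed for this worked example.
ROOT_KBIT = 2000.0
TREE: Dict[str, Queue] = {
    "qTotalBandwidth": Queue(None, 100),
    "qSubnet1": Queue("qTotalBandwidth", 50),
    "q1VoIP":   Queue("qSubnet1", 10, realtime=(1.2, 30, 64)),
    "q1VNC":    Queue("qSubnet1", 10, realtime=(6, 50, 128)),
    "q1HTTP":   Queue("qSubnet1", 30),
    "qSubnet2": Queue("qTotalBandwidth", 50),
    "q2VoIP":   Queue("qSubnet2", 10, realtime=(1.2, 30, 64)),
    "q2VNC":    Queue("qSubnet2", 10, realtime=(6, 50, 128)),
    "q2HTTP":   Queue("qSubnet2", 30),
    "qPenalty": Queue("qTotalBandwidth", 10, upperlimit_pct=10),
}


def linkshare_kbit(name: str, tree: Dict[str, Queue] = TREE, root_kbit: float = ROOT_KBIT) -> float:
    """Absolute link-share rate of a queue: its % applied to the parent's rate."""
    q = tree[name]
    if q.parent is None:
        return root_kbit
    return linkshare_kbit(q.parent, tree, root_kbit) * q.bandwidth_pct / 100.0


def realtime_kbit_by(curve: Curve, t_ms: float) -> float:
    """Kilobits the realtime curve guarantees to have served by time t_ms:
    slope m1 for the first d ms, slope m2 afterwards."""
    m1, d, m2 = curve
    if t_ms <= d:
        return m1 * t_ms / 1000.0
    return m1 * d / 1000.0 + m2 * (t_ms - d) / 1000.0


def realtime_budget(tree: Dict[str, Queue] = TREE, root_kbit: float = ROOT_KBIT,
                    max_fraction: float = 0.8) -> Tuple[float, bool]:
    """Sum of realtime m2 across the tree and whether it stays under the
    assumed budget (realtime is served before link-share, so reserving most
    of the link for it starves everything else)."""
    total_m2 = sum(q.realtime[2] for q in tree.values() if q.realtime)
    return total_m2, total_m2 <= max_fraction * root_kbit


def children_overcommitted(tree: Dict[str, Queue] = TREE) -> List[str]:
    """Parents whose children's bandwidth percentages add up to more than 100%."""
    sums: Dict[str, float] = {}
    for q in tree.values():
        if q.parent is not None:
            sums[q.parent] = sums.get(q.parent, 0.0) + q.bandwidth_pct
    return [p for p, s in sums.items() if s > 100]


if __name__ == "__main__":
    for name in TREE:
        print(f"{name:16} {linkshare_kbit(name):8.1f} kbit/s")
    print("realtime m2 total / ok:", realtime_budget())
    print("over-committed parents:", children_overcommitted())
    print("q1VNC realtime bits after 1 s:", realtime_kbit_by((6, 50, 128), 1000))
```

The realtime curve is what makes VoIP latency predictable: with m1 = 6 kbit/s for 50 ms the queue is guaranteed only 0.3 kbit in its first 50 ms, and 128 kbit/s from then on regardless of what the link-share queues are doing.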
Monitoring PF Firewalls For Health And Performance
Downstream queues should not be assigned to LAN interfaces
http://redmine.pfsense.org/issues/749
I haven't had time to test it yet, but what I believe this is referring to is the queue for Internet traffic being attached to the WAN interface, so traffic from one internal interface to another internal interface (such as routing between VLANs or multiple physical interfaces) is limited as if it were Internet traffic. That may not be the case.
pfSense can do several tasks at once, such as being a WAN router as well as bridging multiple LAN interfaces at the same time. The problem is that when LAN interfaces are bridged and the traffic shaper is restricting bandwidth, the shaper will slow, say, a Gbit LAN connection down to the WAN's speed. As such, downstream bandwidth needs to be shaped on the incoming traffic on the WAN interface, not on outgoing traffic from the LAN interface.